trickbot | 9c3000a3f533570e1faadd7cf8f23eb97a00aab0fac95c2e54debdf1a6f051ac

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689.dll
Size

523KB
MD5

b639dd87bf7b264f6f9abf7a539cc820
SHA1

bbede20621c9c3c2f9ae12951161510898943576
SHA256

024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689
SHA512

5c610963212ee97bc6f54a146e46f7066d589583bc2a7e5bafbbdb024394f06d0d63191bef84ad117565e0290eb60c3ef41939965b0e855104c306f9c2d8a78e
SSDEEP

6144:jVgB84PzDjnZtI9l1RZWhprVUGpZAo6j1/iFi0MWFVIuSPsLc5S+wT7g7A/o:jGBLDjkFRZUVBDAo4qk0MlY2M87A/o

Score

10^/10

trickbot chil43 banker packer trojan

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil43

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral1/memory/2696-4-0x0000000010000000-0x000000001002D000-memory.dmp	templ_dll
behavioral1/memory/2696-0-0x00000000004F0000-0x000000000051E000-memory.dmp	templ_dll
behavioral1/memory/2696-7-0x0000000000230000-0x000000000025B000-memory.dmp	templ_dll

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	wermgr.exe
Token: SeDebugPrivilege	3024	wermgr.exe
Token: SeDebugPrivilege	3024	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 1936 wrote to memory of 2696	1936	regsvr32.exe	28
PID 2696 wrote to memory of 3024	2696	regsvr32.exe	29
PID 2696 wrote to memory of 3024	2696	regsvr32.exe	29
PID 2696 wrote to memory of 3024	2696	regsvr32.exe	29
PID 2696 wrote to memory of 3024	2696	regsvr32.exe	29
PID 2696 wrote to memory of 3024	2696	regsvr32.exe	29
PID 2696 wrote to memory of 3024	2696	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-4-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2696-0-0x00000000004F0000-0x000000000051E000-memory.dmp

Filesize
184KB

Download
memory/2696-8-0x0000000002170000-0x00000000021A8000-memory.dmp

Filesize
224KB

Download
memory/2696-7-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2696-9-0x0000000000540000-0x0000000000543000-memory.dmp

Filesize
12KB

Download
memory/2696-11-0x0000000002170000-0x00000000021A8000-memory.dmp

Filesize
224KB

Download
memory/2696-12-0x0000000000540000-0x0000000000543000-memory.dmp

Filesize
12KB

Download
memory/3024-10-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/3024-13-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download